You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by "Sai Pullabhotla (JIRA)" <ji...@apache.org> on 2009/09/07 19:30:57 UTC
[jira] Resolved: (FTPSERVER-323) Add a new configuration option for
enabling/disabling IP check when accepting passive data connections
[ https://issues.apache.org/jira/browse/FTPSERVER-323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sai Pullabhotla resolved FTPSERVER-323.
---------------------------------------
Resolution: Fixed
> Add a new configuration option for enabling/disabling IP check when accepting passive data connections
> ------------------------------------------------------------------------------------------------------
>
> Key: FTPSERVER-323
> URL: https://issues.apache.org/jira/browse/FTPSERVER-323
> Project: FtpServer
> Issue Type: New Feature
> Components: Core
> Affects Versions: 1.0.2
> Reporter: Sai Pullabhotla
> Fix For: 1.1.0
>
> Attachments: FTPSERVER-323.patch
>
>
> In the current version it is possible for a hacker to connect to any passive port that is currently waiting for a connection and read/write data off that connection. We should implement a check in place to make sure the IP address of the remote host is same as the one we are expecting, if not, close the data connection right way. After closing the data connection we can do one of the following:
> 1. Wait for incoming connection again so the original client can connect
> 2. just quit and send a reply back to the client that the data connection is closed. We need to figure out what reply we want to send in this case.
> What do you guys think we should do?
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.